In association with EphMRA, the European Pharmaceutical Market Research Association, and BHBIA, the British Healthcare Business Intelligence Association, EFAMRO asked the European Commission to:
- Review and update Standard Contractual Clauses and adopt new EU processor to non-EU or EEA processor clauses. With only 13 adequacy decisions in place, businesses need to refer to other tools listed in Chapter V. Standard contractual clauses for data transfers to third countries have not been updated since they were originally adopted. The Commission should urgently review and revise the standard contractual clauses and consider the needs of controllers and processors with the addition of new clauses to cover EU processor to non-EU or EEA processor data transfers.
- Clarify and publish additional guidance on Codes of Conduct. The different sectoral experiences in devising sector Codes have demonstrated that some degree of uncertainty remains regarding Codes of Conduct, both among sectors and among the same Data Protection Authorities that should be in charge of adopting them.
- Investigate further and get a better understanding of how the issue of overlapping territorial scopes of national laws implementing the GDPR has affected controllers and processors and how they are dealing with such fragmentation. The GDPR is directly applicable in all Member States, but it also leaves a margin for national legislators to maintain or introduce more specific provisions to adapt the application of certain rules. This national margin has resulted in a fragmented legal landscape for some of the GDPR provisions. In turn, the non-uniform application of the GDPR across Member States can create obstacles to cross-border operations, even within the EU.
- Highlight the broad need for practical guidelines. On the one hand, businesses may accept the best analysis that fits their interests and consequently adopt practices that would fall in a grey area at best. On the other hand, by focusing relentlessly on the methods and impacts of tech giants, the realities of micro, small and medium-sized enterprises in the application of the regulation are being overlooked, as are those sectors, such as research, which follow existing rigorous Codes which support ethical personal data practice.